Wednesday, October 01, 2014

CWPKI0022E: SSL HANDSHAKE FAILURE

Issue: This error occurs when your application tries to open an SSL connection to a third party or any other SSL-secured host.

Error message:

<[Date and Time stamp] 000000ce SystemOut O CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=hostname, OU=ouname, O=organization name, L=location name, ST=state, C=country code" was sent from target host:port " dnsname:443". The signer may need to be added to local trust store "<config path>/cells/localhostCell01/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by OU=organization unit name, O="signername", C=country code is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error".>


Solution: The solution is hidden in the error message itself.

You have to add the signer certificate of the host with which the SSL handshake failed to the trust store of your WAS.

The following steps guide you through importing the certificate into the trust store (trust.p12):

-> Navigate to Security -> SSL certificate and key management.

-> Navigate to Key stores and certificates -> NodeDefaultTrustStore.

-> Under Additional Properties, click on Signer certificates.

If you have the certificate from the host owner, you can import it directly by clicking the Add button.

If you don't have the certificate, you can still pull it from the host by using the "Retrieve from port" button.


You will see a screen with host, port and alias fields. Fill in:

Hostname: the common name from the error message
Port number: 636 or 443 (this can be taken from the error)
Alias: choose any alias name, then click on Retrieve signer information.

Click Apply and save the configuration. The certificate is now added to the WAS trust store.

A restart of the server is required for the changes to take effect.
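The solution really is in the error message, so here is an added example (my own code, not from the post or from IBM) that pulls the fields you need out of a CWPKI0022E line: the host and port to type into the "Retrieve from port" screen, the CN of the offered certificate, the trust store file and SSL configuration alias that will receive the signer, and the issuer DN that WAS could not chain to. A second function fetches the certificate a host presents and returns its SHA-256 fingerprint, so you can compare it with what the host owner tells you before trusting anything that "Retrieve from port" hands you. The sample message is constructed from the one quoted above, and signer_fingerprint needs network access, so it is not run here.

```python
import hashlib
import re
import ssl

# Constructed sample: the CWPKI0022E message from the post, without the
# SystemOut prefix. Line breaks are kept to show that the parser tolerates them.
SAMPLE_MESSAGE = (
    'CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN '
    '"CN=hostname, OU=ouname, O=organization name, L=location name, ST=state, '
    'C=country code" was sent from target host:port " dnsname:443". The signer '
    'may need to be added to local trust store '
    '"<config path>/cells/localhostCell01/trust.p12" located in SSL configuration '
    'alias "NodeDefaultSSLSettings" loaded from SSL configuration file '
    '"security.xml". The extended error message from the SSL handshake exception '
    'is: "PKIX path building failed: java.security.cert.CertPathBuilderException: '
    'PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:\n'
    'java.security.cert.CertPathValidatorException: The certificate issued by '
    'OU=organization unit name, O="signername", C=country code is not trusted; '
    'internal cause is:\n'
    'java.security.cert.CertPathValidatorException: Certificate chaining error".'
)


def parse_cwpki0022e(message):
    """Extract the fields an administrator needs from a CWPKI0022E message.

    Returns a dict, or None if the text is not a CWPKI0022E message.
    """
    if "CWPKI0022E" not in message:
        return None
    # Collapse line breaks and repeated blanks so one regex matches the whole line.
    flat = " ".join(message.split())

    def grab(pattern):
        match = re.search(pattern, flat)
        return match.group(1).strip() if match else None

    subject_dn = grab(r'SubjectDN "([^"]+)"')
    # WAS prints the target with a leading blank inside the quotes; strip it.
    host_port = grab(r'target host:port "\s*([^"]+)"')
    host, port = None, None
    if host_port and ":" in host_port:
        host, port_text = host_port.rsplit(":", 1)
        port = int(port_text) if port_text.isdigit() else None
    else:
        host = host_port

    common_name = None
    if subject_dn:
        cn = re.search(r"(?:^|,\s*)CN=([^,]+)", subject_dn)
        common_name = cn.group(1).strip() if cn else None

    return {
        "subject_dn": subject_dn,
        "common_name": common_name,
        "host": host,
        "port": port,
        "trust_store": grab(r'local trust store "([^"]+)"'),
        "ssl_alias": grab(r'SSL configuration alias "([^"]+)"'),
        # The issuer DN may itself contain quotes (O="signername"), so match
        # on the surrounding words rather than on quote characters.
        "issuer_dn": grab(r"certificate issued by (.+?) is not trusted"),
    }


def signer_fingerprint(host, port):
    """Fetch the certificate presented at host:port and return its SHA-256 fingerprint.

    This is the value to check against the host owner's published fingerprint
    before adding anything to trust.p12. Note that this is the end-entity
    certificate the server presents; the signer WAS needs is its issuer, so
    verify the whole chain with the host owner. Requires network access.
    """
    pem = ssl.get_server_certificate((host, port))
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    for key, value in parse_cwpki0022e(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Run it against a real SystemOut.log line by passing that line to parse_cwpki0022e; the host and port it returns are exactly what goes into the "Retrieve from port" form, and the trust_store path tells you which file the console will modify.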

                                         (:Happy Learning:)
